diff --git a/server/auth.go b/server/auth.go
index d435c55..8d0f106 100644
--- a/server/auth.go
+++ b/server/auth.go
@@ -67,7 +67,7 @@ func (h *HttpServer) OptionalAuthentication(next UserHandler) httprouter.Handle
 http.Error(rw, err.Error(), http.StatusInternalServerError)
 return
 }
- if auth.IsGuest() && !h.readLoginDataCookie(rw, req, &auth) {
+ if auth.IsGuest() && h.readLoginDataCookie(rw, req, &auth) {
 return
 }
 next(rw, req, params, auth)
diff --git a/server/login.go b/server/login.go
index 77b371f..2d5cca2 100644
--- a/server/login.go
+++ b/server/login.go
@@ -200,11 +200,11 @@ func (h *HttpServer) readLoginDataCookie(rw http.ResponseWriter, req *http.Reque
 sessionData, done := h.fetchUserInfo(rw, err, sso, token)
 if !done {
- return false
+ return true
 }
 u.Data = sessionData
- return true
+ return false
 }
 func (h *HttpServer) fetchUserInfo(rw http.ResponseWriter, err error, sso *issuer.WellKnownOIDC, token *oauth2.Token) (SessionData, bool) {
diff --git a/server/manage-apps.go b/server/manage-apps.go
index 4083a26..f4b56ee 100644
--- a/server/manage-apps.go
+++ b/server/manage-apps.go
@@ -84,7 +84,7 @@ func (h *HttpServer) ManageAppsPost(rw http.ResponseWriter, req *http.Request, _
 }) {
 return
 }
- if HasRole(roles, "lavender:admin") {
+ if !HasRole(roles, "lavender:admin") {
 http.Error(rw, "400 Bad Request: Only admin users can create SSO client applications", http.StatusBadRequest)
 return
 }
diff --git a/server/manage-users.go b/server/manage-users.go
index fe5fce0..ecf8e38 100644
--- a/server/manage-users.go
+++ b/server/manage-users.go
@@ -33,7 +33,7 @@ func (h *HttpServer) ManageUsersGet(rw http.ResponseWriter, req *http.Request, _
 }) {
 return
 }
- if HasRole(roles, "lavender:admin") {
+ if !HasRole(roles, "lavender:admin") {
 http.Error(rw, "403 Forbidden", http.StatusForbidden)
 return
 }
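Review bot: The boolean readLoginDataCookie returns now means "stop here" rather than "cookie consumed", and neither the new call `if auth.IsGuest() && h.readLoginDataCookie(rw, req, &auth)` in OptionalAuthentication nor the login.go hunk that swaps `return false`/`return true` documents that, so the two hunks read as a pair of cancelling negations. For this call site the outcome is unchanged (old: `!false` when fetchUserInfo did not report done; new: `true`), but any other caller of readLoginDataCookie that was not updated in this commit now has its control flow inverted, which is worth a grep before merging. A doc comment on readLoginDataCookie would pin the contract: `// readLoginDataCookie returns true when the caller must return without invoking the next handler (fetchUserInfo did not report done) and false once u.Data has been populated.` Naming the result, e.g. `(handled bool)`, would make the inversion at the call site self-explanatory. Both enclosing functions begin outside their hunks.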
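Review bot: ManageAppsPost now rejects non-admins with 400 Bad Request, while the ManageUsersGet hunk in the same commit answers the identical `!HasRole(roles, "lavender:admin")` check with 403 Forbidden; a failed role check is an authorization failure, not a malformed request, so the status codes should agree. `http.Error(rw, "403 Forbidden: Only admin users can create SSO client applications", http.StatusForbidden)` here, and the matching change for the "Only admin users can manage users" branch in ManageUsersPost, would make the three handlers consistent. Since the same inverted condition was fixed in three separate handlers, a small handler test asserting that a roles value without "lavender:admin" yields 403 for each of them would catch a future re-inversion. Each enclosing handler begins outside its hunk, so where `roles` comes from is not visible here.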
@@ -76,7 +76,7 @@ func (h *HttpServer) ManageUsersPost(rw http.ResponseWriter, req *http.Request, _
 }) {
 return
 }
- if HasRole(roles, "lavender:admin") {
+ if !HasRole(roles, "lavender:admin") {
 http.Error(rw, "400 Bad Request: Only admin users can manage users", http.StatusBadRequest)
 return
 }
diff --git a/test-client/index.html b/test-client/index.html
index a54115b..26b9261 100644
--- a/test-client/index.html
+++ b/test-client/index.html
@@ -7,7 +7,7 @@ let currentTokens = null;
 const ssoService = "http://localhost:9090";
- POP2.init(ssoService + "/authorize", "a", "openid profile", 500, 600);
+ POP2.init(ssoService + "/authorize", "f4cdb93d-fe28-427b-b037-f03f44c86a16", "openid profile", 500, 600);
 function updateTokenInfo(data) {
 currentTokens = data.tokens;